[JIRA] [git-plugin] (JENKINS-28335) Step to run Git commands w/ credentials & tool (was: GitPublisher support)

268 views
Skip to first unread message

jglick@cloudbees.com (JIRA)

unread,
Nov 16, 2015, 8:32:02 PM11/16/15
to jenkinsc...@googlegroups.com
Jesse Glick assigned an issue to Unassigned
 
Jenkins / New Feature JENKINS-28335
Step to run Git commands w/ credentials & tool (was: GitPublisher support)
Change By: Jesse Glick
Assignee: Nicolas De Loof
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)
Atlassian logo

jglick@cloudbees.com (JIRA)

unread,
Nov 16, 2015, 8:32:02 PM11/16/15
to jenkinsc...@googlegroups.com
Jesse Glick updated an issue
Change By: Jesse Glick
Summary: Be able Step  to  use  run Git commands w/ credentials & tool (was:  GitPublisher  in a workflow  support)

sverre.moe@gmail.com (JIRA)

unread,
May 19, 2016, 3:24:02 AM5/19/16
to jenkinsc...@googlegroups.com
Sverre Moe commented on New Feature JENKINS-28335
 
Re: Step to run Git commands w/ credentials & tool (was: GitPublisher support)

Meanwhile it is possible to use Groovy Post-build within Pipeline (formerly Workflow).

Using this script one could publish git tags:

Unable to find source-code formatter for language: groovy. Available languages are: actionscript, html, java, javascript, none, sql, xhtml, xml 
def build = manager.build
def workspace = build.getWorkspace()
def listener = manager.listener
def environment = build.getEnvironment(listener)

final def project = build.getProject()
final def gitScm = project.getScm()
final GitClient gitClient = gitScm.createClient(listener, environment, build, workspace);

final def gitTagName = "TAG_NAME"
final def comment = "COMMENT"
final def remoteURI = new URIish("origin")

gitClient.tag(gitTagName, comment)
gitClient.push().tags(true).to(remoteURI).execute()

sverre.moe@gmail.com (JIRA)

unread,
May 19, 2016, 3:25:01 AM5/19/16
to jenkinsc...@googlegroups.com
Sverre Moe edited a comment on New Feature JENKINS-28335
Meanwhile it is possible to use Groovy Post-build within Pipeline (formerly Workflow).

Using this script one could publish git tags:
{code: groovy java }

def build = manager.build
def workspace = build.getWorkspace()
def listener = manager.listener
def environment = build.getEnvironment(listener)

final def project = build.getProject()
final def gitScm = project.getScm()
final GitClient gitClient = gitScm.createClient(listener, environment, build, workspace);

final def gitTagName = "TAG_NAME"
final def comment = "COMMENT"
final def remoteURI = new URIish("origin")

gitClient.tag(gitTagName, comment)
gitClient.push().tags(true).to(remoteURI).execute()
{code}

sasha@virtoway.com (JIRA)

unread,
Jun 8, 2016, 4:58:01 PM6/8/16
to jenkinsc...@googlegroups.com

Sverre Moe I tried adding your script to Jenkinsfile (the actual jenkinsfile is here: https://github.com/VirtoCommerce/vc-module-core/blob/eeee111fb33e12f93c9bf64988a193627dfb533a/Jenkinsfile) but get the following error:

groovy.lang.MissingPropertyException: No such property: manager for class: groovy.lang.Binding
at groovy.lang.Binding.getVariable(Binding.java:63)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:224)
at org.kohsuke.groovy.sandbox.impl.Checker$4.call(Checker.java:241)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:238)

What am I doing wrong? Ideally I'd like to commit the file changed during the build (version file).

sasha@virtoway.com (JIRA)

unread,
Jun 8, 2016, 5:39:02 PM6/8/16
to jenkinsc...@googlegroups.com
[~djviking]  I tried adding your script to Jenkinsfile  How do you run postbuild from within jenkinsfile itself, the "manager" object is not available when it runs  (the actual jenkinsfile is here: https://github.com/VirtoCommerce/vc-module-core/blob/eeee111fb33e12f93c9bf64988a193627dfb533a/Jenkinsfile)  but get the following error:  
groovy.lang.MissingPropertyException: No such property: manager for class: groovy.lang.Binding
at groovy.lang.Binding.getVariable(Binding.java:63)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:224)
at org.kohsuke.groovy.sandbox.impl.Checker$4.call(Checker.java:241)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:238)

What am I doing wrong?  Ideally I'd like to commit the file changed during the build (version file).

arthur.vanduynhoven@gmail.com (JIRA)

unread,
Jun 13, 2016, 8:53:01 AM6/13/16
to jenkinsc...@googlegroups.com
Art V commented on New Feature JENKINS-28335

I also had issues with this.. What I did is use the sshagent plugin and ran the git tag commands inside this. It may not be as flexible/robust as above, but an easier straight forward workaround until we have a better solution to get the GitSCM client. I have not done much testing but hope this helps you in the meantime.

def call(String tag, String comment, String credentialsId, String repoName = 'origin') {
    sshagent([credentialsId]) {
        sh("git tag -a -f -m '${comment}' ${tag}")
        sh("git -c core.askpass=true push ${repoName} ${tag}")
    }
}

sverre.moe@gmail.com (JIRA)

unread,
Jun 20, 2016, 1:47:01 AM6/20/16
to jenkinsc...@googlegroups.com

How do you run postbuild from within jenkinsfile itself, the "manager" object is not available when it runs

The manager object should be available if you have installed the Groovy Postbuild Plugin.
This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)
Atlassian logo

victorchang@live.com (JIRA)

unread,
Jul 7, 2016, 12:22:05 PM7/7/16
to jenkinsc...@googlegroups.com
mocsharp commented on New Feature JENKINS-28335

Sverre Boschman I tried the code you've provided but am getting the following error:

Build Failed: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method org.jenkinsci.plugins.workflow.job.WorkflowRun getWorkspace

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method org.jenkinsci.plugins.workflow.job.WorkflowRun getWorkspace
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:113)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15)
	at WorkflowScript.stageTagBuild(WorkflowScript:234)
	at WorkflowScript.run(WorkflowScript:52)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:55)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixName(FunctionCallBlock.java:74)
	at sun.reflect.GeneratedMethodAccessor274.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
	at com.cloudbees.groovy.cps.Next.step(Next.java:58)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:29)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:29)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:297)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:78)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:206)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:204)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Any idea? Thanks!

victorchang@live.com (JIRA)

unread,
Jul 7, 2016, 12:43:09 PM7/7/16
to jenkinsc...@googlegroups.com
mocsharp edited a comment on New Feature JENKINS-28335
[~sverre_boschman] I tried the code you've provided but am getting the following error:


{noformat}

Build Failed: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method org.jenkinsci.plugins.workflow.job.WorkflowRun getWorkspace
{noformat}


{noformat}
{noformat}

Any idea? Thanks!

Edit: nvm.  I used pwd() instead.

victorchang@live.com (JIRA)

unread,
Jul 7, 2016, 1:23:01 PM7/7/16
to jenkinsc...@googlegroups.com
- Edit: nvm.  I used pwd() instead. -

Edit: getting the following as well:

{noformat}
Build Failed: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified method org.jenkinsci.plugins.workflow.job.WorkflowRun getProject
{noformat}

russell.gallop@gmail.com (JIRA)

unread,
Jul 13, 2016, 11:55:02 AM7/13/16
to jenkinsc...@googlegroups.com

The workaround published in https://github.com/jenkinsci/pipeline-examples/blob/master/pipeline-examples/push-git-repo/pushGitRepo.Groovy doesn't work with special characters in the password (e.g. @). You can get around that by URL encoding the password:

withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'MyID', usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_PASSWORD']]) {
    String encoded_password = java.net.URLEncoder.encode(env.GIT_PASSWORD, "UTF-8")
    sh("git tag -a some_tag -m 'Jenkins'")
    sh("git push https://${env.GIT_USERNAME}:${encoded_password}@<REPO> --tags")
}

but this defeats the credential binding attempts to obscure the password in the console output. Could do with a proper fix.

leandro.freitas@softdevelop.com.br (JIRA)

unread,
Jul 20, 2016, 1:16:02 PM7/20/16
to jenkinsc...@googlegroups.com

+1

bargemayur05@gmail.com (JIRA)

unread,
Aug 22, 2016, 5:32:02 AM8/22/16
to jenkinsc...@googlegroups.com

Hi Jesse Glick
Greetings !
Are there any plans to get GitPublisher working soon ?
OR to fix the special characters issue mentioned by Russell Gallop

Thanks Russell Gallop for the workaround. But as you mentioned it shows password in the console output. Any other suggestions ?

kabakv@gmail.com (JIRA)

unread,
Aug 29, 2016, 2:14:05 AM8/29/16
to jenkinsc...@googlegroups.com

Hello,
need the pipeline functioning ASAP
could you please provide such feature?
thanks

dcsobral@gmail.com (JIRA)

unread,
Aug 29, 2016, 5:01:10 PM8/29/16
to jenkinsc...@googlegroups.com

Workaround:

    withCredentials([[$class  : 'FileBinding', credentialsId: 'your-credential-id',
                      variable: 'CREDENTIALS']]) {
        sh 'git config --local credential.username RepoUserName'
        sh "git config --local credential.helper 'store --file=${env.CREDENTIALS}'"

        sh "git do-your-stuff"

        sh 'git config --local --remove-section credential'
    }

See git man page for the git store credential for information on the file format.

dcsobral@gmail.com (JIRA)

unread,
Aug 29, 2016, 5:03:08 PM8/29/16
to jenkinsc...@googlegroups.com

Mind you, it doesn't work for submodules. Submodules have a fundamental flaw: they are repos on their own, so the credentials for the module that include them does not apply, but you can't set local credentials for them before they are fetched. Catch-22.

For submodules, either use relative paths, SSH keys, or run a sed on the URL of .gitmodules.

driesdesmet@gmail.com (JIRA)

unread,
Aug 31, 2016, 9:36:06 AM8/31/16
to jenkinsc...@googlegroups.com

Daniel Sobral Do you by any chance know why the following script: (which I found as an alternative to the one above), gives the following error?

fatal: repository 'https://***:***@github.com/ourorg/therepo.git/' not found

withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: '48bfc941-310e-4a0b-bf87-15bc4c4e06cd',
usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
sh "git checkout develop"
sh "git checkout master"
sh "git merge develop"
sh "git tag " + versionLabel
sh "git push 'https://$

{env.USERNAME}

:$

{env.PASSWORD}

@github.com/ourorg/therepo.git' --tags"
}

The command works fine with the ' , I triple checked spelling & tried different quotes, but it keeps saying that it can't find the repo.

driesdesmet@gmail.com (JIRA)

unread,
Aug 31, 2016, 9:37:06 AM8/31/16
to jenkinsc...@googlegroups.com
Dries De Smet edited a comment on New Feature JENKINS-28335
[~dcsobral] Do you by any chance know why the following script: (which I found as an alternative to the one above), gives the following error?
{code:java}
 fatal: repository 'https://****:****@github.com/ourorg/therepo.git/' not found


withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: '48bfc941-310e-4a0b-bf87-15bc4c4e06cd',
                     usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
        sh "git checkout develop"
        sh "git checkout master"
        sh "git merge develop"
        sh "git tag " + versionLabel
        sh "git push 'https://${env.USERNAME}:${env.PASSWORD}@github.com/ourorg/therepo.git' --tags"
    }
{code}


The command works fine with the ' , I triple checked spelling & tried different quotes, but it keeps saying that it can't find the repo.

driesdesmet@gmail.com (JIRA)

unread,
Aug 31, 2016, 10:12:04 AM8/31/16
to jenkinsc...@googlegroups.com
Dries De Smet edited a comment on New Feature JENKINS-28335
[~dcsobral] Do you by any chance know why the following script: (which I found as an alternative to the one above), gives the following error?


{code:java}
fatal: repository 'https://****:****@github.com/ourorg/therepo.git/' not found

withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: '48bfc941-310e-4a0b-bf87-15bc4c4e06cd',
                     usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
        sh "git checkout develop"
        sh "git checkout master"
        sh "git merge develop"
        sh "git tag " + versionLabel
        sh "git push 'https://${env.USERNAME}:${env.PASSWORD}@github.com/ourorg/therepo.git' --tags"
    }
{code}
The Locally, the command works fine with the ' , I triple checked spelling & tried different quotes, but in the pipeline it keeps saying that it can't find the repo.

ruslan.bondarau@gmail.com (JIRA)

unread,
Sep 1, 2016, 6:51:01 AM9/1/16
to jenkinsc...@googlegroups.com

withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: '9e5r57b0-5649-3d65-rt41-e900d8c76774', passwordVariable: 'GIT_PASSWORD', usernameVariable: 'GIT_USERNAME']])
{
sh "git tag -a some_tag$

{env.BUILD_NUMBER} -m 'Jenkins'"
sh ("git -c core.askpass=true push https://${env.GIT_USERNAME}:${env.GIT_PASSWORD}@github.com/some-tag/some-tag.git some_tag${env.BUILD_NUMBER}

")

ruslan.bondarau@gmail.com (JIRA)

unread,
Sep 1, 2016, 6:52:05 AM9/1/16
to jenkinsc...@googlegroups.com
Ruslan Bondarau edited a comment on New Feature JENKINS-28335
^
{code:java}
withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: '9e5r57b0-5649-3d65-rt41-e900d8c76774', passwordVariable: 'GIT_PASSWORD', usernameVariable: 'GIT_USERNAME']])
{
    sh "git tag -a some_tag${env.BUILD_NUMBER} -m 'Jenkins'"
    sh ("git -c core.askpass=true push https://${env.GIT_USERNAME}:${env.GIT_PASSWORD}@github.com/some-tag/some-tag.git some_tag${env.BUILD_NUMBER}") ^
{code}

ruslan.bondarau@gmail.com (JIRA)

unread,
Sep 1, 2016, 6:52:05 AM9/1/16
to jenkinsc...@googlegroups.com
Ruslan Bondarau edited a comment on New Feature JENKINS-28335
^ withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: '9e5r57b0-5649-3d65-rt41-e900d8c76774', passwordVariable: 'GIT_PASSWORD', usernameVariable: 'GIT_USERNAME']])

{
    sh "git tag -a some_tag${env.BUILD_NUMBER} -m 'Jenkins'"
    sh ("git -c core.askpass=true push https://${env.GIT_USERNAME}:${env.GIT_PASSWORD}@github.com/some-tag/some-tag.git some_tag${env.BUILD_NUMBER}")
^

ruslan.bondarau@gmail.com (JIRA)

unread,
Sep 1, 2016, 7:04:03 AM9/1/16
to jenkinsc...@googlegroups.com
Ruslan Bondarau edited a comment on New Feature JENKINS-28335

{code:java}

withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: '9e5r57b0-5649-3d65-rt41-e900d8c76774', passwordVariable: 'GIT_PASSWORD', usernameVariable: 'GIT_USERNAME']])
{
    sh "git tag -a some_tag${env.BUILD_NUMBER} -m 'Jenkins'"
    sh ("git -c core.askpass=true push https://${env.GIT_USERNAME}:${env.GIT_PASSWORD}@github.com/some-tag/some-tag.git some_tag${env.BUILD_NUMBER}")
}
 {code}

pangalz@gmail.com (JIRA)

unread,
Sep 5, 2016, 9:56:02 AM9/5/16
to jenkinsc...@googlegroups.com

There's a workaround using ssh-agent-plugin:

sshagent(['git-credentials-id']) {
      sh "git push origin master"
}

amaksoft@gmail.com (JIRA)

unread,
Sep 20, 2016, 4:11:03 AM9/20/16
to jenkinsc...@googlegroups.com

I want to share my Jenkins Pipeline setup and my solution to publish my changes/tags to git repo via SSH (While this task is under development). Зlease check it out for more info, any improvement ideas are welcome
In short you just add file git_push_ssh.groovy to your project and call method pushSSH() from Jenkinsfile like this:

 env.BRANCH_NAME = "mycoolbranch"// BRANCH_NAME is predefined in multibranch pipeline job
 env.J_GIT_CONFIG = "true"
 env.J_USERNAME = "Jenkins CI"
 env.J_EMAIL = "jenki...@example.com"
 env.J_CREDS_IDS = '02aa92ec-593e-4a90-ac85-3f43a06cfae3' // Use credentials id from Jenkins
 def gitLib = load "git_push_ssh.groovy"
 ...
 gitLib.pushSSH(commitMsg: "Jenkins build #${env.BUILD_NUMBER}", tagName: "build-${env.BUILD_NUMBER}", files: "changelog.txt someotherfile.txt");

amaksoft@gmail.com (JIRA)

unread,
Sep 20, 2016, 4:12:06 AM9/20/16
to jenkinsc...@googlegroups.com
Andrey Makeev edited a comment on New Feature JENKINS-28335
I want to share [my Jenkins Pipeline setup|https://gist.github.com/amaksoft/b17408303d69c71498eaa39ea2ee3b01] and my solution to publish my changes/tags to git repo via SSH (While this task is under development). Зlease Please check it out for more info, any improvement ideas are welcome

In short you just add file git_push_ssh.groovy to your project and call method pushSSH() from Jenkinsfile like this:

{code:java}

env.BRANCH_NAME = "mycoolbranch"// BRANCH_NAME is predefined in multibranch pipeline job
env.J_GIT_CONFIG = "true"
env.J_USERNAME = "Jenkins CI"
env.J_EMAIL = "jenki...@example.com"
env.J_CREDS_IDS = '02aa92ec-593e-4a90-ac85-3f43a06cfae3' // Use credentials id from Jenkins
def gitLib = load "git_push_ssh.groovy"
...
gitLib.pushSSH(commitMsg: "Jenkins build #${env.BUILD_NUMBER}", tagName: "build-${env.BUILD_NUMBER}", files: "changelog.txt someotherfile.txt");
{code}

amaksoft@gmail.com (JIRA)

unread,
Sep 20, 2016, 4:18:15 AM9/20/16
to jenkinsc...@googlegroups.com
Andrey Makeev edited a comment on New Feature JENKINS-28335
I want to share [my Jenkins Pipeline setup|https://gist.github.com/amaksoft/b17408303d69c71498eaa39ea2ee3b01] and my solution to publish my changes/tags to git repo via SSH (While this task is under development). Please check it out for more info, any improvement ideas are welcome

In short you just add file git_push_ssh.groovy to your project and call method pushSSH() from Jenkinsfile like this:

{code:java}
env.BRANCH_NAME = "mycoolbranch"// BRANCH_NAME is predefined in multibranch pipeline job
env.J_GIT_CONFIG = "true"
env.J_USERNAME = "Jenkins CI"
env.J_EMAIL = "jenki...@example.com"
env.J_CREDS_IDS = '02aa92ec-593e-4a90-ac85-3f43a06cfae3' // Use credentials id from Jenkins
def gitLib = load "git_push_ssh.groovy"
...
gitLib.pushSSH(commitMsg: "Jenkins build #${env.BUILD_NUMBER}", tagName: "build-${env.BUILD_NUMBER}", files: "changelog.txt someotherfile.txt");
{code}

cowwoc@java.net (JIRA)

unread,
Dec 1, 2016, 5:18:06 PM12/1/16
to jenkinsc...@googlegroups.com
cowwoc commented on New Feature JENKINS-28335

Beware: ssh-agent will not currently work under windows: JENKINS-28279 ("git plugin", such as the "checkout" task will fail to authenticate)

As far as I can tell, the only option under Windows is to pass the username/password to an HTTPS url: http://stackoverflow.com/a/33630506/14731

jimjaeger@gmx.de (JIRA)

unread,
Jan 9, 2017, 12:37:03 PM1/9/17
to jenkinsc...@googlegroups.com

Any Updates for the usage of the GitPublisher in JenkinsFiles?

james.hogarth@gmail.com (JIRA)

unread,
Feb 7, 2017, 7:55:03 AM2/7/17
to jenkinsc...@googlegroups.com

I like the files idea but we needed a user/pass version.

My contribution and modification to this is:

  1. Our ansible deployment configures: 
    - name: configure git username
  become_user: jenkins
  git_config:
    scope: global
    name: user.name
    value: "{{ lookup('env','USER') }}"

- name: configure git email
  become_user: jenkins
  git_config:
    scope: global
    name: user.email
    value: "{{ lookup('env','USER') }}@{{ ansible_hostname }}"

- name: enable git cache credential storage
  become_user: jenkins
  git_config:
    scope: global
    name: credential.helper
    value: cache
  2. The jenkins pipeline contains: 
    stage("tag the commit with datetime") {
  withCredentials([usernamePassword(credentialsId: 'my_cred_id' usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_PASSWORD')]) {

  // use date for tag
  def tag = new Date().format("yyyyMMddHHmm")

  // configure the git credentials, these are cached in RAM for several minutes to use
  // this is required until https://issues.jenkins-ci.org/browse/JENKINS-28335 is resolved upstream
  sh "echo 'protocol=https\nhost=<git-host-goes-here>\nusername=${GIT_USERNAME}\npassword=${GIT_PASSWORD}\n\n' | git credential approve "

  sh "git tag -a ${tag} -m '${USER} tagging'"
  sh "git push --tags"
  }
}

This example uses new Date() which needs whitelisting right now but could easily be BUILD_ID if you were sure that you'd never need to rebuild, and lose an incrementing BUILD_ID, or whatever other metric/value was preferred.

andrew.paul.gray@gmail.com (JIRA)

unread,
Apr 9, 2018, 11:15:05 PM4/9/18
to jenkinsc...@googlegroups.com

Is this going to be fixed anytime soon?
This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
Atlassian logo

skbp@viessmann.com (JIRA)

unread,
Apr 10, 2018, 3:35:03 AM4/10/18
to jenkinsc...@googlegroups.com

I added this issue as a project idea for GSoC 2018 but I hope that this issue will be fixed before summer. I don't think that a student will take this project but hope dies last 

andrew.paul.gray@gmail.com (JIRA)

unread,
Apr 10, 2018, 4:09:05 AM4/10/18
to jenkinsc...@googlegroups.com

I find it amazing that there are still these massive glaring gaps in functionality (esp for Git) in critical functions all over declarative pipeline.

 

They're supposed to be the future but not there yet.

kawiering@yahoo.com (JIRA)

unread,
Apr 20, 2018, 8:14:03 AM4/20/18
to jenkinsc...@googlegroups.com

The CLI scripted work-around is functional. That is the problem. Andrew Gray.

trane9991@gmail.com (JIRA)

unread,
Sep 20, 2018, 11:45:20 AM9/20/18
to jenkinsc...@googlegroups.com

A bit cleaner workaround here:

    withCredentials([sshUserPrivateKey(credentialsId: 'github-rw-key', keyFileVariable: 'GITHUB_KEY')]) {
        withEnv(["GIT_SSH_COMMAND=ssh -i $GITHUB_KEY -o StrictHostKeyChecking=no"]) {
            git clone/push git@...
        }
    }
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

trane9991@gmail.com (JIRA)

unread,
Sep 20, 2018, 11:46:08 AM9/20/18
to jenkinsc...@googlegroups.com
Taras Postument edited a comment on New Feature JENKINS-28335
A bit cleaner workaround here:
{code:java}
    withCredentials([sshUserPrivateKey(credentialsId: ' your- github- rw- key -id ', keyFileVariable: 'GITHUB_KEY')]) {

        withEnv(["GIT_SSH_COMMAND=ssh -i $GITHUB_KEY -o StrictHostKeyChecking=no"]) {
            git clone/push git@...
        }
    }
{code}

josh@hoblitt.com (JIRA)

unread,
Sep 20, 2018, 11:53:04 AM9/20/18
to jenkinsc...@googlegroups.com

Its preferable to avoid writing secrets to the workspace. Although, ssh agent could theoretically be accessed from another worker by figuring out the SSH_AUTH_SOCK.

withEnv(['GIT_SSH_COMMAND=ssh -o StrictHostKeyChecking=no']) {
  sshagent(credentials: ['your-github-key']) {
  ...
  }
}

jglick@cloudbees.com (JIRA)

unread,
Sep 24, 2018, 8:27:05 PM9/24/18
to jenkinsc...@googlegroups.com

The sshagent step is more convenient, but it boils down to more or less the same thing. withCredentials does not write files to the workspace per se, but to an @tmp sibling directory.

DTaylorBusiness@gmail.com (JIRA)

unread,
Oct 10, 2018, 1:55:04 PM10/10/18
to jenkinsc...@googlegroups.com

any updates would be appreciated. my team is working on pipelines and we need this plugin to be updated in order to push back to Bitbucket from windows without using ssh keys.

claus@buus-schneider.dk (JIRA)

unread,
Oct 10, 2018, 3:10:50 PM10/10/18
to jenkinsc...@googlegroups.com

You can consider using https://wiki.jenkins.io/display/JENKINS/Pretested+Integration+Plugin if it matches your needs. If not feel free to propose your missing needs..

It is using the credentials from the Git SCM plugin and uses it in the "publisher". It supports http/windows ..

DTaylorBusiness@gmail.com (JIRA)

unread,
Oct 10, 2018, 3:23:03 PM10/10/18
to jenkinsc...@googlegroups.com

Claus Schneider thank you for the plugin recommendation. we will look at this and see what works!

DTaylorBusiness@gmail.com (JIRA)

unread,
Oct 17, 2018, 10:06:04 AM10/17/18
to jenkinsc...@googlegroups.com

Claus Schneider we've looked at the pre-tested plugin and we're not sure if it will fit with what we're trying to do. we really just need a way to push changes back to Bitbucket without using SSH keys from the build machine. The Git Plugin / Git Publisher plugin should allow for this but we're not sure how to implement it yet.

jglick@cloudbees.com (JIRA)

unread,
Oct 18, 2018, 12:09:13 AM10/18/18
to jenkinsc...@googlegroups.com

As already noted in this issue, you can already use withCredentials or sshagent to accomplish this use case. This enhancement would simply make it more convenient.

ruslan.zenin@gmail.com (JIRA)

unread,
Oct 23, 2018, 9:08:05 AM10/23/18
to jenkinsc...@googlegroups.com

Hi Jesse Glick . would it be possible to provide a sample pipeline script how we can accomplish "git push withCredentials or sshagent"? There is a use case for my team to build projects and change some of the artifacts and then push back to the SCM.
Thank you in advance!

ruslan.zenin@gmail.com (JIRA)

unread,
Oct 23, 2018, 9:37:15 AM10/23/18
to jenkinsc...@googlegroups.com
Ruslan Zenin edited a comment on New Feature JENKINS-28335
Hi [~jglick] . would it be possible to provide a sample pipeline script how we can accomplish _"git push withCredentials or sshagent"_? There is a use case for my team to build projects and change some of the artifacts and then push back to the SCM.
Thank you in advance!
Note: I found this example: [https://jenkins.io/doc/pipeline/examples/#push-git-repo]

withCredentials([usernamePassword(credentialsId: 'git-pass-credentials-ID', passwordVariable: 'GIT_PASSWORD', usernameVariable: 'GIT_USERNAME')]) \{ sh("git tag -a some_tag -m 'Jenkins'") sh('git push https://${GIT_USERNAME}:${GIT_PASSWORD}@<REPO> --tags') }

kodstark@gmail.com (JIRA)

unread,
Oct 25, 2018, 1:06:04 PM10/25/18
to jenkinsc...@googlegroups.com

Ruslan Zenin Above there are examples working for me with ssh key. I didn't check how to use credentials with password if you are asking about this case specific.

sshagent(['credentiald-id-using-ssh-key']) 
 {
    sh('git command or program calling git inside') 
 }

ruslan.zenin@gmail.com (JIRA)

unread,
Oct 26, 2018, 11:11:04 AM10/26/18
to jenkinsc...@googlegroups.com

Thank you! That worked for me!

ruslan.zenin@gmail.com (JIRA)

unread,
Oct 26, 2018, 11:14:02 AM10/26/18
to jenkinsc...@googlegroups.com
Ruslan Zenin edited a comment on New Feature JENKINS-28335
[~kodstark] Thank you! That worked for me!

drdamour@gmail.com (JIRA)

unread,
Feb 18, 2019, 5:55:04 PM2/18/19
to jenkinsc...@googlegroups.com

we had been using the sshagent workaround, but recently changed to using the "Checkout over SSH" git scm custom behaviour.  This made the sshagent wrapper unecessary in the scripts (i'm guessing cause it basically wraps your whole pipeline as such..kind of). Not sure how portable this is to windows or non git environments but was easier for us.

drdamour@gmail.com (JIRA)

unread,
Feb 18, 2019, 5:59:07 PM2/18/19
to jenkinsc...@googlegroups.com
chirs damour edited a comment on New Feature JENKINS-28335
we had been using the sshagent workaround, but recently changed to using the "Checkout over SSH" git scm custom behaviour.  This made the sshagent wrapper unecessary in the scripts (i'm guessing cause it basically wraps your whole pipeline as such..kind of). Not sure how portable this is to windows or non git environments but was easier for us.


Also to control the commit/author email was used the *Custom user name/e-mail address* custom behaviour

bruder@bruder.dk (JIRA)

unread,
Mar 19, 2019, 6:53:12 PM3/19/19
to jenkinsc...@googlegroups.com

I'm trying to get a post-build git push --tags to work on windows using user/pass with jenkins credentials. The git plugin fetches from a remote private repo this way without problems, but I can't get authentication to work when invoking git through windows batch, or groovy as suggested in https://issues.jenkins-ci.org/browse/JENKINS-28335?focusedCommentId=258095&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-258095 above. Shouldn't git operations through the git client in groovy work, if things like fetch, performed by the git plugin, work?

 

 

bruder@bruder.dk (JIRA)

unread,
Mar 20, 2019, 6:20:07 AM3/20/19
to jenkinsc...@googlegroups.com
Jesper Matthiesen edited a comment on New Feature JENKINS-28335
I'm trying to get a post-build git push --tags to work on windows using user/pass with jenkins credentials outside of pipeline/workflow . The git plugin fetches from a remote private repo this way without problems, but I can't get authentication to work when invoking git through windows batch, or groovy as suggested in https://issues.jenkins-ci.org/browse/JENKINS-28335?focusedCommentId=258095&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-258095 above. Shouldn't git operations through the git client in groovy work, if things like fetch, performed by the git plugin, work?

 
When fetching, 'using GIT_ASKPASS' is printed in the log, but when I try to tag, it isn't, so maybe that's a hint?

 

bruder@bruder.dk (JIRA)

unread,
Mar 20, 2019, 6:50:50 AM3/20/19
to jenkinsc...@googlegroups.com
Jesper Matthiesen edited a comment on New Feature JENKINS-28335
I'm trying to get a post-build git push --tags to work on windows using user/pass with jenkins credentials outside of pipeline/workflow. The git plugin fetches from a remote private repo this way without problems, but I can't get authentication to work when invoking git through windows batch, or groovy as suggested in https://issues.jenkins-ci.org/browse/JENKINS-28335?focusedCommentId=258095&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-258095 above. Shouldn't git operations through the git client in groovy work, if things like fetch, performed by the git plugin, work?

When fetching, 'using GIT_ASKPASS to set credentials ' is printed in the log, but when I try to tag, it isn't, so maybe that's a hint?


  Failing push:
{code:java}
using credential dd64d000-6f87-4271-90dd-58babca8bb5e
> git.exe --version # timeout=10
> git.exe push origin --tags
ERROR: Failed to evaluate groovy script.
hudson.plugins.git.GitException: Command "git.exe push origin --tags" returned status code 128:
stdout:
stderr: remote: Invalid username or password
fatal: Authentication failed for 'https://na...@bitbucket.org/.../...git/' {code}

bruder@bruder.dk (JIRA)

unread,
Mar 20, 2019, 6:50:53 AM3/20/19
to jenkinsc...@googlegroups.com
Jesper Matthiesen edited a comment on New Feature JENKINS-28335
I'm trying to get a post-build git push --tags to work on windows using user/pass with jenkins credentials outside of pipeline/workflow. The git plugin fetches from a remote private repo this way without problems, but I can't get authentication to work when invoking git through windows batch, or groovy as suggested in https://issues.jenkins-ci.org/browse/JENKINS-28335?focusedCommentId=258095&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-258095 above. Shouldn't git operations through the git client in groovy work, if things like fetch, performed by the git plugin, work?

When fetching, 'using GIT_ASKPASS to set credentials' is printed in the log console , but when I try to tag, it isn't, so maybe that's a hint?


 Failing push:
{code:java}
using credential dd64d000-6f87-4271-90dd-58babca8bb5e
> git.exe --version # timeout=10
> git.exe push origin --tags
ERROR: Failed to evaluate groovy script.
hudson.plugins.git.GitException: Command "git.exe push origin --tags" returned status code 128:
stdout:
stderr: remote: Invalid username or password
fatal: Authentication failed for 'https://na...@bitbucket.org/.../...git/' {code}

medianick@gmail.com (JIRA)

unread,
Mar 20, 2019, 9:44:18 AM3/20/19
to jenkinsc...@googlegroups.com

Jesper Matthiesen, perhaps my answer at https://stackoverflow.com/a/37753202/466874 might help with the authentication specifically? With Git configured as I noted in that answer (basically, disabling the credential.helper), we're using the git CLI successfully on Windows agents to push tags, branches, etc.. After configuring Git this way, the steps we do are 1) bind the Git credentials (to make them available as username/password environment variables), 2) use the https://USERNAME:PASSWORD@URL syntax when pushing anything back to GitHub (e.g., https://foo:b...@github.com/MyRepository).

bruder@bruder.dk (JIRA)

unread,
Mar 21, 2019, 8:52:07 AM3/21/19
to jenkinsc...@googlegroups.com

Nick Jones I've now made it work by converting the job to pipeline and using the withCredentials directive, thereby injecting the credentials into the url myself. I never found a way to access the credentials to do the same with my previous freestyle project.

But what I don't understand is why we must do this credential fetching and url massaging ourselves, i.e. why for instance Sverre Moe's example using the GitClient class directly doesn't (seem to) work.

mjboamail@gmail.com (JIRA)

unread,
Mar 22, 2019, 12:08:05 PM3/22/19
to jenkinsc...@googlegroups.com

I think I've come up with a good workaround. We can set the following at the beginning of our build (declarative pipeline in a Github organization):

sh 'git config --local credential.helper "!p() { echo username=\\$GIT_USERNAME; echo password=\\$GIT_PASSWORD; }; p"'

See git credential helpers

 

Then, when we want to use the credentials we can use a block like the following: 

sh 'git tag -m "" ${VERSION_NUMBER}'
withCredentials([
  usernamePassword(credentialsId: 'github', usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_PASSWORD')
]) {
  sh 'git push origin ${VERSION_NUMBER}'
}

This way we don't have to even repeat the URL for the origin remote, which is already set.

 

 

mjboamail@gmail.com (JIRA)

unread,
Mar 25, 2019, 2:12:08 PM3/25/19
to jenkinsc...@googlegroups.com
Michael Beaumont edited a comment on New Feature JENKINS-28335
I think I've come up with a good workaround. We can set the following at the beginning of our build (declarative pipeline in a Github organization):
{code:java}

sh 'git config --local credential.helper "!p() { echo username=\\$GIT_USERNAME; echo password=\\$GIT_PASSWORD; }; p"'


 

Then, when we want to use the credentials we can use a block like the following: 
{code:java}

sh 'git tag -m "" ${VERSION_NUMBER}'
withCredentials([
  usernamePassword(credentialsId: 'github', usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_PASSWORD')
]) {
  sh 'git push origin ${VERSION_NUMBER}'
}
{code}

This way we don't have to even repeat the URL for the {{origin}} remote, which is already set.

kari.jaakko.niemi@gmail.com (JIRA)

unread,
Mar 5, 2020, 3:20:28 AM3/5/20
to jenkinsc...@googlegroups.com

Official coudbees provided instructions for the workaround: https://support.cloudbees.com/hc/en-us/articles/360027646491-Pipeline-Equivalent-to-Git-Publisher

...but they have bugs in the examples: withCredentials is used to publish variable GIT_USERNAME  ... and then that variable is referenced with GIT_AUTH_USR in shell step. The same mistake for password variables.
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
Atlassian logo
Reply all
Reply to author
Forward
0 new messages